Ultra Intelligence & Communications

PLC Security: Are you treating the symptom or the cause?

May 13th, 2014 / By

With the increasing numbers of high-profile attacks in the news, you should ask yourself if the security controls you have in place today would prevent an attack to your system.  Do you know where attackers will strike next? And most importantly are you protected against it?  Attacks usually target the weakest links and the reality is that in most industrial control facilities the weak links are the end-devices such as the programmable logic controllers (PLCs) or similar non-PC embedded computer.

The past 10 years have seen extraordinary progress in advances to industrial control system (ICS) cybersecurity.  The good news is that almost every industry sector has taken notice of the threats. Decision makers are pursuing standards and best practices (e.g. ISA99/IEC62443) for improved and assured systems safeguards.  The bad news is that these standards and practices are often implemented the same way: define a critical system’s perimeter, erect perimeter defenses and control what comes in and out. This results in a false sense of security and mitigated risk.

Segregated-Enclave Security – A Temporary Fix
The current methodology has resulted in a preponderance of so-called “secure systems” through the use of data-diodes or gateways, which are really just networks of segregated-enclaves with restricted access between themselves and from public networks. This is a good first step, and can be used to protect against the legacy and standard methods of attack, but is only a temporary fix against a dedicated attacker trying to penetrate the network.  The real issue is that it is just a matter of time before the perimeter is breached, and once inside the perimeter (or enclave) there are no protections preventing an attacker from doing whatever they like, and so the damage is done. Which leads to the next question, is this the only threat that should concern you?

Hackers typically come through a publically accessible interface and make their way to the control domain, preferring easy, less risk entry points.  The best-practice approach to install stronger perimeter defenses may eliminate one attack vector but will cause the attacker to simply try an alternative method.  If they do are you protected against it, or have you succeeded in assisting the attacker toward your unprotected flank?  A PLC for instance, is not a secure device and, if an attack breaches the perimeter, it will still succeed.

With each security control and architecture design, we should be asking ourselves if our system or feature prevents a vulnerability from exploitation, or just prevents an attack vector. In many industrial control systems, the core vulnerability is the PLCs. When operated correctly a PLC is one of the most reliable devices we operate, yet if told to do something unexpected or non-standard, it more often than not fails or malfunctions. Therefore an attacker wanting to cause physical damage or impact a facility’s operations can just interfere with PLC communications.

New Methods of Breaching a Network’s Perimeter
Stuxnet infected air-gapped systems through infected USB sticks, engineers continue to bring devices and computers on-site when providing maintenance, and vendors still have remote access to client systems over dedicated links. Trying to guess and mitigate the next attack vector is a cat-and-mouse game that the defender will not win. The truth is that embedded systems don’t have adequate security. They continue to be at risk of an attacker maliciously interfering with them, their controlling computers and the network they connect too. If we want to protect a system, we need to eliminate the vulnerability, not prevent the attack vector. Once attackers can communicate on a network, they can interfere with control communications, disrupt timing messages, send damaging messages to the controllers, or simply conduct a denial of service attack against a system or component.

Drop-boxes are new low-cost disposable computers that are rapidly being adopted by hackers.  They are often left within a victim’s facility to act as a physical Trojan horse, allowing an attacker to gain a permanent foothold into the system. Cheap but powerful computers such as the Raspberry Pi or Arduino combined with hacker toolkits such as Kali and a disposable cell phone give attackers an easy way to hack a network for less than $100.

This is exactly the concept that Stephen Hilt demonstrated at the recent Digital Bond S4 conference with his ‘PLCpwn’ device. Recent news reports have even shown the ability to equip USB or Ethernet cables with hidden radios that allow government hackers to secretly access a network or computer. For less than the price of a nice dinner, and a weekend’s effort, almost anyone can build a penetration device that can be slipped into a pocket, surreptitiously connect it to the network, and use it to remotely access systems anytime and from anywhere they desire. For ease of use and low risk, this vector is highly attractive to attackers, and currently circumvents virtually every standard protection and guidance.

Would You Prefer a Mask or a Vaccine?
If the vulnerability is in the controller, we should be building security walls at the network perimeter and providing end-point protection for our embedded systems.  Think of it this way, if you were faced with an immediate risk of contracting a harmful plague, would you prefer a mask or a vaccine? We should be looking forward to all the other types of attack vectors, not just those seen in the past. We should be actively recommending vulnerability mitigations rather than preventing attack vectors.